Patient Monitoring Software Vulnerabilities Identified
Philips and DHS Issue Advisories; Mitigation Tips Offered
Federal authorities and medical device maker Philips have issued alerts about security vulnerabilities in some of the company’s patient monitoring software.
In alerts issued Thursday, Philips and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency note that several “low-to-moderate” security vulnerabilities were found in certain versions of the Philips IntelliVue Patient Monitor system, the Patient Information Center iX, or PIC iX, software and PerformanceBridge Focal Point.
The vulnerabilities require a low skill level to exploit, the advisories note. Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring and collection of access information and/or patient data. To successfully exploit the vulnerabilities, however, an attacker would need to gain physical access to surveillance stations and patient monitors or access to the medical device network.
The vulnerabilities identified include:
- Improper authentication;
- Improper check for certificate revocation;
- Improper neutralization of formula elements in a comma-separated value, or CSV, file;
- Cross-site scripting;
- Improper handling of length parameter inconsistency;
- Improper validation of syntactic correctness of input;
- Improper input validation;
- Exposure of resource to wrong sphere.
So far, there are no known exploits available for these issues, Philips says. And the company says it has not received any reports of incidents affecting clinical use tied to the vulnerabilities.
Security researchers in Germany discovered the flaws and notified the Federal Office for Information Security in Germany, which, in turn, reported the problems to Philips, CISA notes in its alert. Philips issued its advisory as part of its voluntary coordinated vulnerability disclosure program.
Philips plans to release a series of updates to remediate all reported vulnerabilities for affected products.
Until those patches are available, the company recommends healthcare organizations take the following steps:
- Physically or logically isolate the Philips patient monitoring network away from the hospital local area network and use a firewall or routers that restrict access in and out of the patient monitoring network to only necessary ports and IP addresses.
- Limit exposure by ensuring the simple certificate enrollment protocol is not running unless it is actively being used to enroll new devices.
- When enrolling new devices using SCEP, enter a unique challenge password of eight to 12 unpredictable and randomized digits.
- Implement physical security controls to prevent unauthorized login attempts on the PIC iX application. Servers should be kept in controlled locked data centers. Access to equipment at nurses’ stations should be controlled and monitored.
- Only grant remote access to PIC iX servers on a must-have basis.
- Grant login privileges to the bedside monitor and PIC iX application on a role-based, least-privilege basis - and only to trusted users.
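The SCEP enrollment step above calls for a unique challenge of eight to 12 unpredictable, randomized digits. The following sketch is an added example, not code from Philips or CISA: it draws the digits from the operating system's CSPRNG and rejects reused or hand-typed-looking values. The function names and the specific predictability heuristics are assumptions made for illustration.

```python
import secrets

MIN_LEN, MAX_LEN = 8, 12  # digit range from the guidance above


def is_predictable(digits: str) -> bool:
    """Heuristics (assumed, not from the advisory) for hand-typed patterns."""
    if len(set(digits)) <= 2:                      # 00000000, 12121212
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):                        # 12345678, 98765432
        return True
    for period in range(1, len(digits) // 2 + 1):  # 123123123, 48214821
        if all(digits[i] == digits[i % period] for i in range(len(digits))):
            return True
    return False


def validate_challenge(candidate: str, already_used: set) -> list:
    """Return the reasons a challenge fails the guidance; empty list means OK."""
    problems = []
    if not (candidate.isascii() and candidate.isdigit()):
        problems.append("not digits only")
    elif not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length outside 8-12")
    elif is_predictable(candidate):
        problems.append("predictable pattern")
    if candidate in already_used:
        problems.append("reused for another enrollment")
    return problems


def new_challenge(already_used: set, length: int = MAX_LEN) -> str:
    """Draw digits from the OS CSPRNG until one passes, then record it as used."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 8-12 digits")
    while True:
        candidate = "".join(secrets.choice("0123456789") for _ in range(length))
        if not validate_challenge(candidate, already_used):
            already_used.add(candidate)
            return candidate


if __name__ == "__main__":
    used = set()  # constructed stand-in for the record of issued challenges
    for device in ("monitor-A", "monitor-B"):  # hypothetical device labels
        print(device, new_challenge(used))
```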
Previous Product Alert
The latest alerts follow an advisory that Philips issued in July on an “authentication bypass using an alternate path or channel” vulnerability in certain versions of the company's ultrasound systems (see: Alerts: Flaws in Ultrasound, Open-Source Hospital Systems).
Some security experts note that more medical device manufacturers are voluntarily revealing security flaws in their products.
“Over recent years, partnerships with researchers, industry pressure, the media and regulatory changes have all moved manufacturers to realize doing this is in their best interest,” says Bill Aerts, executive director of Archimedes Center for Medical Device Security at the University of Michigan.
“Despite this industry trend, there are still plenty of manufacturers, especially small ones, that don't have this process in place to issue disclosures about security vulnerabilities. Lack of expertise and lack of resources in smaller manufacturers contributes to that.”